About

Hi, I’m Sergei!

I am a researcher interested in security, privacy, and scalability of blockchains and related technologies.

Since September 2023, I have been a protocol research engineer at Waku. I work on incentivization for P2P communication protocols. Waku is part of the Institute of Free Technology (IFT), perhaps better known as supporters of Status, a decentralized messaging app.

My CV (updated 2024).

The multi-faceted design space of blockchain technologies has fascinated me since 2013. I have contributed to peer-reviewed papers on a range of topics that include:

  • vulnerability detection in Ethereum smart contracts;
  • P2P-level transaction clustering in Bitcoin, Monero, and Zcash;
  • denial-of-service and privacy attacks in the Lightning Network.

I did my PhD at the University of Luxembourg (CryptoLUX group), where I defended my thesis (presentation video) in 2020. I later worked as a postdoctoral researcher at Chaincode Labs. I also co-host Basic Block Radio – a deeply technical blockchain podcast in Russian with 170+ episodes so far.

My research journey

Before 2016: Vulnerability detection

In 2013, I got my Master's degree in applied mathematics and systems programming from the Moscow State University (Faculty of Computational Mathematics and Cybernetics).

In 2013–2016, I was a full-time information security analyst at SmartDec. My tasks included aggregating information about best practices in various programming languages and formalizing dangerous coding patterns for our vulnerability detection tool.

I fell into the Bitcoin rabbit hole in late 2013. In my spare time throughout 2014–2016, I wrote for a popular Russian-language cryptocurrency website Bitnovosti, and helped film a documentary about cryptocurrency adoption in Europe.

2016–2017: Bugs in Ethereum contracts

In 2016, I started a PhD program at the University of Luxembourg. My first research topic was the security of Solidity smart contracts. The main results of that period were Findel and Smartcheck.

Findel is a functional domain-specific language (DSL) for financial contracts on top of Solidity. The key idea is to think of a contract as a tree-like structure of elementary operations. The leaves correspond to monetary sums, and the nodes reflect the conditions under which the payments are made. The benefit of a functional DSL, compared to a Turing-complete language, is that it’s easier to analyze and write securely.

Smartcheck was among the first papers on automated security analysis for Solidity code. We proposed a comprehensive classification of bugs in Solidity contracts known at the time, including the infamous re-entrancy vulnerability that destroyed The DAO in 2016. We developed a tool that detects said vulnerabilities, and tested it on a large set of real-world contracts.

2018: P2P-level deanonymization in Bitcoin and friends

In 2018, I studied the P2P layer of Bitcoin and privacy-focused cryptocurrencies (Zcash, Dash, and Monero). The research question was: what information can a well-connected adversary extract from the P2P layer? In the resulting paper, we described a method by which an attacker can cluster transactions that had originated from the same node based solely on their P2P propagation patterns. We successfully clustered our own transactions using patched node software running on geographically distributed servers.

2019–2022: Lightning Network’s security and privacy

In 2019, I became interested in scaling blockchains with second-layer protocols and payment channel networks in particular. I decided to focus on the Lightning Network – the major L2 effort in the Bitcoin ecosystem. During this time, I studied two somewhat related issues: probing and jamming.

Balance probing allows for estimating a remote channel balance by sending unsolicited fake payments. This behavior should not be possible but is hard to discourage, as failed payment attempts are free. We introduced a mathematical model to quantify the amount of information an attacker learns, and applied it to the previously unstudied case of parallel channels.

Channel jamming is a denial-of-service attack where an adversary blocks a victim's channels by initiating payments but not finalizing them. As with probing, the absence of fees for failed payments makes attack costs trivial. We proposed a new fee scheme that includes upfront unconditional fees, and measured its effectiveness in a simulation.

I also contributed to a chapter on security and privacy for “Mastering the Lightning Network”.

Publications

My publications, with citation counts etc., are listed on Google Scholar. My talks and conference presentations are on my YouTube channel.

2016

  • С. Тихомиров, Я. Александров, Е. Марченко, Л. Сафин. Поиск закладок в программном обеспечении (S. Tikhomirov, Y. Alexandrov, E. Marchenko, L. Safin. Finding undocumented features in programs). «Защита информации. Инсайд» №3, 2016 (abstract)
